Not so Secure Invoicing

There are three companies authorized to distribute Cisco products to government resellers: Comstor, Ingram Micro, and Tech Data. I recently switched which one I purchase from. I just received the below email with my first invoice from them. The blue bar at the top left and the four blue links on the right side all link to Striata's website. All five links include my seven digit account number. I'm thinking of switching back.

My intention in posting this was not to shame anyone. Most vendors just send invoices in emails in cleartext anyway. I just got a laugh out of what some people consider "secure" and thought I'd pass it along. As far as I know Striata's product works well when used as designed. I notified the vendor of the problem before posting here. I only gave you a choice of three vendors to show this wasn't from some mom-and-pop shop. We all make mistakes, I'm chalking this one up to human error. Let he who is without fault...

Retards. Are they under some false impression that SSL encryption covers the initial HTTP GET?

And what makes you think it doesn't?

More problematic is that the links are stored unencrypted in the email body, which has likely passed through many unencrypted connections on the way from the bank, and now probably resides on the service provider's server, still not encrypted.

No, there are other things in the link, like my email address. But the point is, if you read the 3 steps on the left side in the email, the "password" to open the "secure" invoice attached to the email is my 7 digit account number. Anyone with half a brain who intercepted the email would see a 7 digit number in the links and give it a try. There is no good reason for the links to download the secure reader and read instructions on how to use it to include the password to open the attachment.
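The weakness described in the post above is a secret (the password that opens the "secure" attachment) carried in the query string of ordinary links in the same message. The following Python script is an added example, not code from the thread or from any vendor mentioned in it: it scans a message body for links and reports any query parameter whose value equals the attachment password or another listed secret. The sample body, host names, account number and address are constructed for the example and do not come from the original email.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample invoice-notification body (hypothetical reader-download
# host, made-up account number and address); not the message from the thread.
SAMPLE_BODY = """Your invoice is attached. To open it:
1. Download the secure reader: https://reader.example.com/download?acct=1234567&email=buyer%40example.org
2. Read the instructions: https://reader.example.com/help?acct=1234567&email=buyer%40example.org
3. Enter your password (your account number) when prompted.
Questions? https://www.example.com/contact
"""

# Matches http(s) URLs up to the next whitespace, quote or angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Return every http(s) URL found in a plain-text message body."""
    return URL_RE.findall(body)


def query_params(url):
    """Flatten a URL's query string into {name: value}; parse_qs also
    percent-decodes values, so 'buyer%40example.org' becomes 'buyer@example.org'."""
    return {name: values[0] for name, values in parse_qs(urlparse(url).query).items()}


def leaked_secrets(body, attachment_password, extra_secrets=()):
    """Report query-string parameters in the body's links whose value is the
    password that opens the attached document, or any other listed secret.

    Returns a list of (url, parameter_name, label) tuples; an empty list means
    none of the given secrets appear in any link."""
    labels = {attachment_password: "attachment password"}
    for secret in extra_secrets:
        labels.setdefault(secret, "other secret")
    findings = []
    for url in extract_urls(body):
        for name, value in query_params(url).items():
            if value in labels:
                findings.append((url, name, labels[value]))
    return findings


if __name__ == "__main__":
    # The OP's case: the attachment password is the 7-digit account number,
    # and the e-mail address is also present in the links.
    for url, name, label in leaked_secrets(SAMPLE_BODY, "1234567", ["buyer@example.org"]):
        print(f"{label} exposed in parameter '{name}' of {url}")
```

Run against an outgoing template before it ships; any non-empty result means the link itself hands an intercepting party the value the attachment's password prompt is supposed to protect.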

Wow, you two guys can tell all that just by hovering your mouse over the image of a hyperlink in a jpg?